I have a new computer with 2 x 2TB SSDs where I wanted to install C7 and use mdadm for RAID1 configuration and encrypting the /home partition. On the net I found https://tuxfixer.com/centos-7-installation-with-lvm-raid-1-mirroring/ which I adopted slightly with respect to partition sizes, using RAID1 for /boot and /root as well and added the /home partition with RAID1 and chose to have /home encrypted.
Is there an "official/recommended/suggested" page for installing C7 and using mdadm for RAID1 in combination with LUKS encryption? As far as I can tell things seem right but would like to check before proceeding to install lots of other software.
Thanks.
On 4/18/22 1:27 PM, H wrote:
> I have a new computer with 2 x 2TB SSDs where I wanted to install C7 and use mdadm for RAID1 configuration and encrypting the /home partition. On the net I found https://tuxfixer.com/centos-7-installation-with-lvm-raid-1-mirroring/ which I adopted slightly with respect to partition sizes, using RAID1 for /boot and /root as well and added the /home partition with RAID1 and chose to have /home encrypted.
It may be a good idea to also have / and swap encrypted, since user data can go there easily (logs, locatedb, swapped mem).
I would do:
- /boot as a separate RAID1 (md1=sda1+sdb1)
- then another RAID1 (md2=sda2+sdb2) using all the remaining disk
- luks on top of md2, giving you luks-xxxxx
- LVM with a PV on luks-xxxxx
- VG and LVs for swap, / and /home (do not assign all the available space now, especially if using xfs as filesystem)
Not sure if you can do this setup through the installer, you have to try (in a VM maybe).
Regards.
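The layout described in the message above, written out as the commands one would type from a rescue or live shell before running the installer. This is an added example, not part of the original message. It assumes the sdX1/sdX2 partitions already exist; the mapping name luks-md2 and the LV sizes are illustrative, and it only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the thread): build the stack bottom to top.
# Assumed names: partitions sdX1/sdX2 already exist; mapping "luks-md2",
# VG "vg0" and every LV size are illustrative choices.
set -e                      # stop at the first failing step
DRY_RUN=${DRY_RUN:-1}

run() {
    # Always show the command; execute it only when DRY_RUN=0.
    echo "$*"
    if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

build_stack() {
    d1=$1; d2=$2    # whole disks, e.g. /dev/sda /dev/sdb

    # 1. /boot mirror. Metadata 1.0 is stored at the end of each member,
    #    so the filesystem starts at offset 0 of the partition.
    run mdadm --create /dev/md1 --level=1 --raid-devices=2 --metadata=1.0 "${d1}1" "${d2}1"

    # 2. One mirror over the remainder of both disks.
    run mdadm --create /dev/md2 --level=1 --raid-devices=2 "${d1}2" "${d2}2"

    # 3. LUKS on top of the mirror: everything above it (/, swap, /home)
    #    is encrypted and unlocked with a single passphrase.
    run cryptsetup luksFormat /dev/md2
    run cryptsetup luksOpen /dev/md2 luks-md2

    # 4. LVM physical volume and volume group on the opened mapping.
    run pvcreate /dev/mapper/luks-md2
    run vgcreate vg0 /dev/mapper/luks-md2

    # 5. LVs sized well below the VG total, leaving free extents;
    #    xfs can be grown later but not shrunk.
    run lvcreate -L 8G -n swap vg0
    run lvcreate -L 50G -n root vg0
    run lvcreate -L 200G -n home vg0
}

# Stand-alone use: sh stack.sh /dev/sda /dev/sdb   (prints the plan)
if [ $# -eq 2 ]; then build_stack "$1" "$2"; fi
```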
On 04/19/2022 09:57 AM, Roberto Ragusa wrote:
> It may be a good idea to also have / and swap encrypted, since user data can go there easily (logs, locatedb, swapped mem).
> I would do:
> - /boot as a separate RAID1 (md1=sda1+sdb1)
> - then another RAID1 (md2=sda2+sdb2) using all the remaining disk
> - luks on top of md2, giving you luks-xxxxx
> - LVM with a PV on luks-xxxxx
> - VG and LVs for swap, / and /home (do not assign all the available space now, especially if using xfs as filesystem)
> Not sure if you can do this setup through the installer, you have to try (in a VM maybe).
> Regards.
Thank you. I will have time to get back to this system tomorrow to try this.
On 04/23/2022 09:19 PM, H wrote:
> Thank you. I will have time to get back to this system tomorrow to try this.
> CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Roberto, what would the advantage(s) be with your setup, ie one RAID1 array for everything but /boot compared to what I had done, ie three RAID1 arrays for /boot/efi RAID1, /boot RAID1 and one LVM-RAID1 for / and /home? As a naive user it would seem to me that the setup I did would be more resilient if a disk fails, or?
Think he might have just missed the fact that you had EFI boot as well. So then it would be:
/boot md0
/boot/EFI md1
/ md2 -> vg0 -> lvs
Otherwise it was more a suggestion on using encryption for more than just the /home partition since there is always a risk with SWAP etc to have information that you do not want to be read.
My current setup goes:
/dev/mapper/vg0-root /
/dev/mapper/vg0-usr /usr
/dev/nvme0n1p2 /boot <- this would be a md device in your case
/dev/nvme0n1p1 /boot/efi <- this would be a md device in your case
/dev/mapper/vg0-home /home
/dev/mapper/vg0-var /var
/dev/mapper/vg0-tmp /tmp
/dev/mapper/vg0-var_tmp /var/tmp
/dev/mapper/vg0-var_log /var/log
/dev/mapper/vg0-var_log_audit /var/log/audit
Note that we are most likely mixing data redundancy with data security a bit here. So as far as your plan to run a md device for each "partition" needed that is a sound and solid plan.
When it comes to encryption the point is that you might want to have more than just /home protected. But this is very dependent on your threat model. If you have a laptop, encryption of all partitions is suggested.
Regards
On 2022-04-24 20:54, H wrote:
> Roberto, what would the advantage(s) be with your setup, ie one RAID1 array for everything but /boot compared to what I had done, ie three RAID1 arrays for /boot/efi RAID1, /boot RAID1 and one LVM-RAID1 for / and /home? As a naive user it would seem to me that the setup I did would be more resilient if a disk fails, or?
On 04/29/2022 07:30 AM, Joakim Dellrud wrote:
> Think he might have just missed the fact that you had EFI boot as well. So then it would be:
> /boot md0
> /boot/EFI md1
> / md2 -> vg0 -> lvs
> Otherwise it was more a suggestion on using encryption for more than just the /home partition since there is always a risk with SWAP etc to have information that you do not want to be read.
> My current setup goes:
> /dev/mapper/vg0-root /
> /dev/mapper/vg0-usr /usr
> /dev/nvme0n1p2 /boot <- this would be a md device in your case
> /dev/nvme0n1p1 /boot/efi <- this would be a md device in your case
> /dev/mapper/vg0-home /home
> /dev/mapper/vg0-var /var
> /dev/mapper/vg0-tmp /tmp
> /dev/mapper/vg0-var_tmp /var/tmp
> /dev/mapper/vg0-var_log /var/log
> /dev/mapper/vg0-var_log_audit /var/log/audit
> Note that we are most likely mixing data redundancy with data security a bit here. So as far as your plan to run a md device for each "partition" needed that is a sound and solid plan.
> When it comes to encryption the point is that you might want to have more than just /home protected. But this is very dependent on your threat model. If you have a laptop, encryption of all partitions is suggested.
> Regards
I am coming back to this topic after a long while. Again, I am installing CentOS 7 on a new machine. Using the graphical installer and following the suggestion above, I first created the /boot partition in RAID1 configuration, then /boot EFI in RAID1 configuration, after which I proceeded to create an LVM in RAID1 configuration for the remainder of the disks using the / partition.
If I understand the above correctly, I should then create /home and swap using this LVM (as well as possibly /var) but do not seem to be able to do so in the graphical installer.
Have I missed something? Or, do I need to do this differently following another path?
Thank you in advance.
On 08/02/2022 02:07 PM, H wrote:
> I am coming back to this topic after a long while. Again, I am installing CentOS 7 on a new machine. Using the graphical installer and following the suggestion above, I first created the /boot partition in RAID1 configuration, then /boot EFI in RAID1 configuration, after which I proceeded to create an LVM in RAID1 configuration for the remainder of the disks using the / partition.
> If I understand the above correctly, I should then create /home and swap using this LVM (as well as possibly /var) but do not seem to be able to do so in the graphical installer.
> Have I missed something? Or, do I need to do this differently following another path?
> Thank you in advance.
I am still stuck on the above and would love to hear some suggestion(s).
Thank you.
On 04/24/2022 02:54 PM, H wrote:
> Roberto, what would the advantage(s) be with your setup, ie one RAID1 array for everything but /boot compared to what I had done, ie three RAID1 arrays for /boot/efi RAID1, /boot RAID1 and one LVM-RAID1 for / and /home? As a naive user it would seem to me that the setup I did would be more resilient if a disk fails, or?
Did not get any response to the above and I will have an opportunity to work with this computer again in a few days.
If I were to partition the disks as suggested above - and which is not supported by the CentOS 7 installation software (anaconda?) - which software would be suggested to use to partition the disks prior to installing CentOS 7?
Thank you in advance.